1
00:00:00,005 --> 00:00:02,000
- [Instructor] SQL Server Express

2
00:00:02,000 --> 00:00:04,004
comes as a free download for Windows 10.

3
00:00:04,004 --> 00:00:07,002
I've got it installed on my Windows 10 system,

4
00:00:07,002 --> 00:00:10,001
so let's go to the SQL Server Management Studio.

5
00:00:10,001 --> 00:00:13,000
I'll take the default SQL Express instance,

6
00:00:13,000 --> 00:00:17,005
which in my case is shuttle SQL Express.

7
00:00:17,005 --> 00:00:19,005
And we now have access to the instance

8
00:00:19,005 --> 00:00:21,002
in the management console.

9
00:00:21,002 --> 00:00:24,007
Let's make sure we're set up to use transactional queries.

10
00:00:24,007 --> 00:00:29,003
Let's select Tools, Options,

11
00:00:29,003 --> 00:00:33,008
Query Execution, SQL Server, General,

12
00:00:33,008 --> 00:00:36,002
and check the box by default,

13
00:00:36,002 --> 00:00:41,009
open new queries in SQLCMD mode, and OK.

14
00:00:41,009 --> 00:00:43,004
Let's also right-click

15
00:00:43,004 --> 00:00:49,003
on the shuttle SQL Express connection and select Facets.

16
00:00:49,003 --> 00:00:53,009
We'll change the dropdown to Server Security

17
00:00:53,009 --> 00:00:59,006
and set XP command shell enabled

18
00:00:59,006 --> 00:01:04,003
to True, OK, OK.

19
00:01:04,003 --> 00:01:06,003
Ignore the message about server agents

20
00:01:06,003 --> 00:01:07,008
and close the dialog.

21
00:01:07,008 --> 00:01:11,003
We can make a new database by right-clicking Databases

22
00:01:11,003 --> 00:01:15,003
and then entering the name Cleo.

23
00:01:15,003 --> 00:01:23,002
New Database, Cleo, OK.

24
00:01:23,002 --> 00:01:27,003
And if we expand Databases, we can see we have Cleo.

25
00:01:27,003 --> 00:01:29,006
We can import our Pharaoh table

26
00:01:29,006 --> 00:01:34,006
by right-clicking on the Cleo database,

27
00:01:34,006 --> 00:01:42,006
selecting Tasks, Import Flat File,

28
00:01:42,006 --> 00:01:47,005
and we'll specify the input file,

29
00:01:47,005 --> 00:01:52,008
which we have in our exercise folder.

30
00:01:52,008 --> 00:01:57,006
We'll click Next and Next,

31
00:01:57,006 --> 00:01:59,009
and we'll set up the column names,

32
00:01:59,009 --> 00:02:03,008
which are Phid

33
00:02:03,008 --> 00:02:10,004
which we'll make a smallint.

34
00:02:10,004 --> 00:02:21,001
Name, make the varchar to two.

35
00:02:21,001 --> 00:02:24,000
We'll put reign start,

36
00:02:24,000 --> 00:02:27,009
we'll just leave it as that.

37
00:02:27,009 --> 00:02:45,003
Reign end, dynasty and tomb as varchar eight.

38
00:02:45,003 --> 00:02:46,006
I won't bother with keys

39
00:02:46,006 --> 00:02:53,006
so we can just click Next and Finish, and Close.

40
00:02:53,006 --> 00:02:55,006
Now we can use our Windows command shell

41
00:02:55,006 --> 00:02:58,008
to execute transactional queries on the database.

42
00:02:58,008 --> 00:03:03,009
We use the SQLCMD program to connect to the SQL instance.

43
00:03:03,009 --> 00:03:07,000
Let's see what databases we have.

44
00:03:07,000 --> 00:03:17,007
Select name from sys.databases, go,

45
00:03:17,007 --> 00:03:19,006
and we list our databases.

46
00:03:19,006 --> 00:03:23,000
Let's use our Cleo database.

47
00:03:23,000 --> 00:03:26,003
Use Cleo, go.

48
00:03:26,003 --> 00:03:29,007
We can run a union select on this.

49
00:03:29,007 --> 00:03:37,000
Select name from pharaoh

50
00:03:37,000 --> 00:03:46,006
union select testing, go,

51
00:03:46,006 --> 00:03:48,002
and we get the results.

52
00:03:48,002 --> 00:03:49,007
Note the entry testing

53
00:03:49,007 --> 00:03:52,001
is in sort order in the results.

54
00:03:52,001 --> 00:03:56,003
We can access SQL server system names.

55
00:03:56,003 --> 00:04:05,001
Select null from pharaoh

56
00:04:05,001 --> 00:04:13,005
union select quote dollar bracket SQLCMDUSER

57
00:04:13,005 --> 00:04:21,000
to get our current user bracket quote, go,

58
00:04:21,000 --> 00:04:24,002
and we get our username, which is user.

59
00:04:24,002 --> 00:04:25,000
If the instance

60
00:04:25,000 --> 00:04:27,009
has the command shell extended procedure configured,

61
00:04:27,009 --> 00:04:31,005
we can use this to run system commands.

62
00:04:31,005 --> 00:04:39,005
Execute XP command shell,

63
00:04:39,005 --> 00:04:49,000
whoami, go, and we're NT service MSSQL dollar SQL Express.

64
00:04:49,000 --> 00:04:51,002
If we encounter errors with command shell,

65
00:04:51,002 --> 00:04:53,003
it may be because it's not enabled.

66
00:04:53,003 --> 00:04:57,001
However, we can enable it if we're a sysadmin.

67
00:04:57,001 --> 00:05:00,001
Let's see how we check if we're a sysadmin.

68
00:05:00,001 --> 00:05:03,000
We do this with select,

69
00:05:03,000 --> 00:05:12,001
null from pharaoh union select

70
00:05:12,001 --> 00:05:25,003
is server role member, sysadmin, go,

71
00:05:25,003 --> 00:05:27,001
and we get a zero and a one back,

72
00:05:27,001 --> 00:05:30,008
the zero is the integer interpretation of the blank field

73
00:05:30,008 --> 00:05:32,008
and one is the sysadmin flag.

74
00:05:32,008 --> 00:05:34,006
Indeed, we are a sysadmin.

75
00:05:34,006 --> 00:05:37,000
Now, if we want to enable XP command shell,

76
00:05:37,000 --> 00:05:41,005
we can do that with four commands.

77
00:05:41,005 --> 00:05:56,004
Execute SP configure, show advanced options, comma one.

78
00:05:56,004 --> 00:06:04,004
Reconfigure, execute SP

79
00:06:04,004 --> 00:06:18,005
configure, XP command shell, comma one,

80
00:06:18,005 --> 00:06:22,006
reconfigure and go.

81
00:06:22,006 --> 00:06:23,005
In our case,

82
00:06:23,005 --> 00:06:26,006
we see that command shell has changed from one to one,

83
00:06:26,006 --> 00:06:28,008
we were already enabled for it.

84
00:06:28,008 --> 00:06:32,002
We can't use the XP command shell directly in the union,

85
00:06:32,002 --> 00:06:34,005
but if we have a multiline option on,

86
00:06:34,005 --> 00:06:37,008
then we can add it to the end of the line.

87
00:06:37,008 --> 00:06:45,001
Select null from pharaoh

88
00:06:45,001 --> 00:06:51,006
union select null, execute

89
00:06:51,006 --> 00:06:57,000
XP command shell,

90
00:06:57,000 --> 00:07:04,008
dir C colon slash users, and go,

91
00:07:04,008 --> 00:07:07,000
and we get our directory listing out.

92
00:07:07,000 --> 00:07:09,009
There are other ways to access system capabilities.

93
00:07:09,009 --> 00:07:12,005
For example, using the sys dm_os

94
00:07:12,005 --> 00:07:14,009
enumerate filesystem function

95
00:07:14,009 --> 00:07:18,001
to list text files.

96
00:07:18,001 --> 00:07:22,003
We'll go, and we've found a user.txt file,

97
00:07:22,003 --> 00:07:24,007
our normal pen testing flag.

98
00:07:24,007 --> 00:07:26,002
There are many of these stored

99
00:07:26,002 --> 00:07:28,008
in extended procedures in SQL Server,

100
00:07:28,008 --> 00:07:31,008
but these can tend to be somewhat unreliable.

101
00:07:31,008 --> 00:07:33,003
Nevertheless, it's worth spending

102
00:07:33,003 --> 00:07:35,000
a bit of time exploring them.
